Security
Salesforce data breach linked to Tenable via Salesloft Drift
Friday, September 12, 2025 | Richard Harris
A recent investigation into the Salesforce data breach linked to Tenable highlights risks in third-party SaaS integrations and underscores the need for organizations to strengthen access controls and monitor connected apps.
A recent Salesforce data breach involving the Salesloft Drift integration has affected multiple organizations, including cybersecurity company Tenable. The company confirmed that limited customer contact and support case data were exposed but emphasized that no core product data was compromised.
Scope of exposed information
Tenable reported that information accessed included names, email addresses, phone numbers, business regions, and details submitted through support case subject lines and descriptions. The company said core platform and product data were not impacted, according to its investigation and official disclosures. These details reflect Tenable’s own statements about the incident.
How attackers exploited Salesforce integrations
Investigators have tied the breach to an ongoing cyber campaign targeting organizations that use Salesforce with the Salesloft Drift marketing tool. Reports from outlets like CRN and Cybersecurity News note that attackers leveraged compromised OAuth tokens and credentials to extract sensitive data. Other affected companies reportedly include Palo Alto Networks, Zscaler, Cloudflare, Proofpoint, and CyberArk.
Tenable’s remediation efforts
Following its discovery of the breach, Tenable says it:
- Revoked and rotated credentials for Salesforce and related services
- Disabled and removed the Drift integration from its Salesforce environment
- Hardened access controls across its SaaS infrastructure
- Applied threat intelligence from Salesforce and third-party security researchers
- Deployed continuous monitoring tools to detect further suspicious activity
Tenable stressed that its quick response was meant to reduce the risk of additional exposure.
Salesforce data breach highlights SaaS supply chain risks
The Salesforce–Salesloft Drift breach reflects a growing trend of attackers targeting SaaS ecosystems rather than traditional endpoints. As organizations integrate more third-party apps into platforms like Salesforce, the risk of exposure rises. Experts recommend stronger identity and access management, frequent credential rotation, and strict least-privilege policies.
Industry reactions
CRN reported that security vendors have begun auditing Salesforce integrations in response to the campaign. Salesforce has not released detailed findings about the attack, though third-party researchers have confirmed that stolen tokens and integration misconfigurations were likely factors.
Nick Percoco, chief security officer at cryptocurrency exchange Kraken, told Reuters in related reporting that similar phishing and impersonation schemes remain common. He noted that the challenge of validating legitimate recruiters, partners, or SaaS connectors is growing as attackers refine their methods.
Best practices for organizations
Cybersecurity specialists recommend the following to help mitigate risks:
- Audit all third-party integrations to confirm necessity and tighten permissions.
- Implement strong identity and access management policies with multi-factor authentication.
- Monitor and rotate API keys and OAuth tokens to reduce exposure time.
- Use SaaS Security Posture Management (SSPM) solutions for visibility into misconfigurations.
- Run tabletop exercises simulating SaaS-based supply chain breaches to improve readiness.
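The audit and rotation items above can be turned into a repeatable check. The following Python sketch is an added example, not part of the original article or any vendor's tooling: it reviews an inventory of third-party OAuth grants against a simple policy. The record fields, app names, dates and thresholds are assumptions constructed for illustration, not a Salesforce export format.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory of third-party OAuth grants. Field names, apps and
# dates are sample values for this example, not a real export format.
GRANTS = [
    {"app": "chat-widget", "scopes": ["full", "refresh_token"],
     "issued": "2025-01-10", "last_used": "2025-09-01"},
    {"app": "bi-export", "scopes": ["api"],
     "issued": "2025-08-20", "last_used": "2025-09-10"},
    {"app": "old-survey-tool", "scopes": ["api", "refresh_token"],
     "issued": "2024-03-02", "last_used": "2024-11-15"},
]

BROAD_SCOPES = {"full"}               # assumed: scopes beyond least privilege
MAX_TOKEN_AGE = timedelta(days=90)    # assumed rotation policy
MAX_IDLE = timedelta(days=60)         # assumed: unused this long means unneeded


def _day(text):
    """Parse a YYYY-MM-DD date as midnight UTC."""
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_grants(grants, now):
    """Return {app: [reasons]} for grants that violate the assumed policy."""
    findings = {}
    for grant in grants:
        reasons = []
        broad = BROAD_SCOPES & set(grant["scopes"])
        if broad:
            reasons.append("broad scope: " + ", ".join(sorted(broad)))
        if now - _day(grant["issued"]) > MAX_TOKEN_AGE:
            reasons.append("rotation overdue")
        # A grant with no recorded use is treated as idle.
        last_used = grant.get("last_used")
        if last_used is None or now - _day(last_used) > MAX_IDLE:
            reasons.append("idle, candidate for removal")
        if reasons:
            findings[grant["app"]] = reasons
    return findings


if __name__ == "__main__":
    as_of = datetime(2025, 9, 12, tzinfo=timezone.utc)
    for app, reasons in audit_grants(GRANTS, as_of).items():
        print(f"{app}: {'; '.join(reasons)}")
```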
Transparency and disclosure
Tenable’s approach reflects growing industry pressure for transparency. While no core data or platform systems were compromised, the breach illustrates how third-party connections can create unintended entry points for attackers.
As supply chain attacks become more common, customers and vendors are placing a higher priority on full disclosure of security incidents to maintain trust. Analysts see this as part of a broader shift toward proactive security communication.
The Salesforce data breach tied to Tenable and other vendors underscores the complexity of securing interconnected SaaS environments. While Tenable’s investigation and actions appear to have limited further risk, experts emphasize the importance of reviewing integrations, implementing zero-trust principles, and strengthening response plans.
Organizations relying on cloud-based tools should view this event as a reminder to adopt continuous monitoring, limit access permissions, and proactively address vulnerabilities before they are exploited.
